Intel® Active Management Technology Developers Guide

ID 772055
Date 1/05/2021
Public

Implementing Remote Secure Erase

Intel® Active Management Technology (Intel® AMT) version 11.0 introduces a new feature called Remote Secure Erase (RSE). RSE is designed to let IT administrators remotely wipe the hard disk of a client device that supports Intel AMT 11.0 or later.

When an employee leaves the organization, the IT administrator normally collects the PC, erases the disk drive, and reloads the OS and applications as needed. Remote Secure Erase, combined with the other Intel® AMT redirection features (IDE-R, KVM), lets the IT administrator securely erase the whole disk drive (including the bootable partition) remotely, and then use KVM and IDE-R to provision the OS and applications remotely as well.

Below are the platform requirements for RSE support:

  • Platform with Intel AMT 11.0 or later
  • BIOS supporting Intel RSE capability
  • Intel® SSD Professional Family (Pro 6000p Series, Pro 5400s Series, Pro 2500 Series, Pro 1500 Series)

In order to add support for Intel RSE to your solution, you will need the Intel® AMT SDK and the Intel® AMT SDK Documentation and Implementation Guide.

The following are the steps for implementing the Intel RSE solution:

  1. IT administrator sets user and master hard drive password on the PC before deploying it to the employee.
  2. System discovery – the ISV application verifies whether the system supports the Intel RSE feature (AMT_BootCapabilities.SecureErase).
  3. Only for systems that support the Intel RSE feature, the ISV application provides an option to perform a secure erase in its management console.
  4. When initiating the secure erase operation, ISV console will prompt the IT administrator for the master password configured for the drive.
  5. ISV will use the IT administrator-provided master password to set boot options to secure erase and send password to AMT and reboot the platform.
  6. To check the progress of the erase operation, the ISV queries AMT_BootSettingData.BIOSLastStatus and expects the first element of the status to report InProgress. This indicates that the remote secure erase operation has started. The time the erase operation takes varies with the size of the disk being erased.
  7. The first item of BIOSLastStatus then changes to either 0 (success) or 65535 (failed).
    1. If the status changes to 0, the BIOS automatically clears the boot options and the ISV console can display a message reporting a successful erase operation.
    2. If the status changes to 65535, examine the second item of BIOSLastStatus to get the detailed error code. In case of failure, the boot options are not cleared, so depending on the detailed error code the ISV console can either stop the operation or retry. If the operation is stopped, the boot options must be cleared through a WS-Man command. For a retry, depending on the system power state, either power up or reset the platform to attempt the secure erase operation again on the next boot.
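The discovery and status-polling parts of the flow above (steps 2, 6 and 7), as an added PowerShell example that is not the script attached to this page and does not use the Intel® vPro™ technology module. It talks to the Intel AMT WS-Management interface with the built-in `Get-WSManInstance` cmdlet. The client address, port and credential are assumptions; the `AMT_BootCapabilities` and `AMT_BootSettingData` resource URIs are the standard Intel AMT schema URIs. Treating any first status element other than 0 or 65535 as "in progress" is an assumption based on the guide's description. Step 5 (setting the secure-erase boot option with the drive's master password and rebooting) is done with the SDK as the guide describes and is not repeated here.

```powershell
# Added example: RSE capability check and BIOSLastStatus polling over Intel AMT WS-Man.
# Not the script referenced by the guide; host, port and credential are placeholders.
param(
    [string]$AmtHost = 'amt-client.example.local',   # assumed client address
    [int]$Port = 16992,                              # 16992 = HTTP, 16993 = TLS
    [pscredential]$Credential = (Get-Credential -Message 'Intel AMT admin account')
)

$connectionUri = "http://${AmtHost}:${Port}/wsman"
$amtNs = 'http://intel.com/wbem/wscim/1/amt-schema/1/'

# Fetch one singleton AMT class instance with HTTP Digest authentication.
function Get-AmtInstance {
    param([string]$Class)
    Get-WSManInstance -ConnectionURI $connectionUri `
                      -ResourceURI ($amtNs + $Class) `
                      -Authentication Digest `
                      -Credential $Credential
}

# Step 2: discovery. Offer RSE only if the platform reports the capability.
function Test-AmtSecureEraseSupport {
    $caps = Get-AmtInstance -Class 'AMT_BootCapabilities'
    return [System.Convert]::ToBoolean($caps.SecureErase)
}

# Steps 6-7: translate BIOSLastStatus into a console action.
# Element 0 is the overall state (0 = success, 65535 = failed, otherwise
# assumed in progress); element 1 carries the BIOS detail code on failure.
function ConvertFrom-BiosLastStatus {
    param([uint16[]]$Status)
    if (-not $Status -or $Status.Count -lt 1) {
        return [pscustomobject]@{ State = 'Unknown'; Detail = $null }
    }
    $detail = if ($Status.Count -ge 2) { $Status[1] } else { $null }
    switch ($Status[0]) {
        0       { [pscustomobject]@{ State = 'Success';    Detail = $null } }
        65535   { [pscustomobject]@{ State = 'Failed';     Detail = $detail } }
        default { [pscustomobject]@{ State = 'InProgress'; Detail = $null } }
    }
}

# Poll AMT_BootSettingData until the erase leaves the InProgress state.
function Wait-AmtSecureErase {
    param([int]$PollSeconds = 30, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $bsd = Get-AmtInstance -Class 'AMT_BootSettingData'
        $result = ConvertFrom-BiosLastStatus -Status ([uint16[]]$bsd.BIOSLastStatus)
        Write-Host ("{0:u}  RSE state: {1}" -f (Get-Date), $result.State)
        if ($result.State -ne 'InProgress') { return $result }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return [pscustomobject]@{ State = 'Timeout'; Detail = $null }
}

if (-not (Test-AmtSecureEraseSupport)) {
    throw "$AmtHost does not report AMT_BootCapabilities.SecureErase; do not offer RSE for this system."
}

# Step 5 (boot option + master password + reboot) happens here via the SDK; omitted.

$outcome = Wait-AmtSecureErase
switch ($outcome.State) {
    'Success' { Write-Host 'Secure erase completed; BIOS has cleared the boot options.' }
    'Failed'  { Write-Warning ("Secure erase failed, BIOS detail code {0}. Boot options are still set: clear them via WS-Man or retry on the next boot." -f $outcome.Detail) }
    default   { Write-Warning "Secure erase ended in state: $($outcome.State)" }
}
```

The timeout is deliberately long because, as the guide notes, erase time scales with disk size; on a failure the script reports the second status element so the console can decide between clearing the boot options and retrying, rather than silently leaving the secure-erase boot option armed.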

The PowerShell* script (see attachments) demonstrates the usage of the Intel AMT RSE feature with code snippets. For information on running PowerShell scripts with the Intel® vPro™ technology module, please refer to the Intel® AMT SDK and the related Intel® AMT Implementation and Reference Guide.

After establishing a connection, the script demonstrates the flow as described above. (Note: you will need to enter the proper credentials and machine address for your client system.)

This should provide all the items you need to start using the feature. If you have questions, please post them to the Intel® Business Client Software Development Discussion Forum.


*No product or component can be absolutely secure.